Facebook reports bug that allowed access to 6 million e-mails and phone numbers

Facebook has just reported a bug that "may have allowed some of a person's contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them."

It's important to note that only phone numbers or e-mails were affected. The bug was present in the Download Your Information (DYI) tool. Facebook has a great explanation of what happened:

When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don't want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

The bug is unlikely to present a huge security risk, since the exposed information concerned people who were already connected with you in some form or another. This means that it probably isn't an issue if their e-mail or phone number shows up in your data; you likely already have it.

Of course, Facebook needs to be careful as they are the stewards of quite a bit of personal and private information. We're glad that it was just phone numbers and e-mails, but Facebook needs to make sure things like this don't happen in the future.